Stryker Hack raises worry of security threats in the middle of conflict

In 2026, cyber-attacks are no longer just a destructive force on the internet; they are now a tool that various actors use to inflict considerable damage on their enemies. War in the 21st century has expanded from the battlefield into cyberspace, and even companies not caught up in a conflict are vulnerable. The medical supply company Stryker learned this recently, when its entire network was compromised.

On March 11th, Stryker Corporation, a medical equipment supplier, revealed that it had been attacked. Within minutes of intrusion:

    • Over 200,000 devices, including servers, PCs, and mobile devices, were erased.
    • Some departments saw up to 95% system loss.
    • Employees watched devices shut down in real time.
    • Systems were defaced with propaganda, confirming attacker control.

Over 200k endpoints were compromised and essentially bricked, and over 50 terabytes of data were deleted. “The assault, launched shortly after midnight on March 11, 2026, bypassed traditional defenses and likely weaponized the company’s own administrative tools to trigger a global reset or “wipe” of its hardware.” (1)

Unlike most recent attacks, which focused on extortion, this was an act of pure sabotage. The claimed attacker was the Iranian-backed group Handala, which was spurred to act by recent attacks on the country. Early forensics of the hack revealed that the attackers didn't use the usual ransomware tricks. Rather, they were able to access the admin tools through leaked credentials and perform the equivalent of a factory reset on all of these systems. “Over 200,000 systems and devices – from Windows servers and PCs to mobile phones – were reportedly wiped clean or reset within minutes. Many employees watched their computers and phones get wiped in real time as the malware was executed.

In some departments, up to 95% of devices were erased before anyone could react. Alongside the data wiping, the attackers defaced login screens with Handala’s logo and propaganda messages, confirming their presence.” (2)

The attack itself was an outlier compared to more recent attacks. In most attacks in 2025, the threat vector was ransomware. Ransomware campaigns typically rely on tricking an unwitting accomplice into handing over their credentials. Evolutions of this concept include spoofed emails, fake ads, and fake calls. This particular attack was much more in your face, similar to the hacking of the beginning of the century, before ransomware became common. The attackers were able to brute force their way into finding the right credentials and then systematically turn off an entire network. “In a recent intrusion attributed to Handala, initial access is believed to have been established well before the destructive phase, with network access dating back several months. This earlier activity likely provided the group with persistent access and the Domain Administrator credentials required to carry out the attack. In the hours leading up to the destructive activity, Handala appeared to validate its access and test authentication using the compromised credentials.” (3) This coordinated action shows meticulous planning that can and will destroy networks if the wrong credentials are compromised.

The Iran-based attack reveals a wider issue: state-based actors that can destroy systems around the world. Before the war in Ukraine, for example, hackers in both Russia and Ukraine regularly launched massive attacks, including the infamous Petya virus. When war broke out, they shifted priorities, but other state-connected actors are still considered a bigger threat. Even smaller attacks can still do incredible damage.

Another issue facing Stryker in paying for the damage is that it might not be able to cover it under its insurance policies. Many standard insurance policies contain an exclusion for “Acts of War”, referred to as the War exclusion. If a loss is triggered directly or indirectly by an Act of War as defined in the policy, there may be no coverage for any claims resulting from such actions. This is one of the reasons ships try to avoid passing through a potential war zone. Unfortunately, there is a grey area in cyber insurance. A memo sent by Lloyd's in 2023, when it expanded war exclusions to include cyber, stated: “The war exclusion, referred to as LMA5667A, has emerged as the most widely used of the war exclusions that meet Lloyd’s guidelines. This exclusion excludes all losses arising out of war and cyber operations that are part of war. Cyber operations deployed by nation-states outside of war may or may not be excluded depending on the specific facts. Only those losses arising from affected computer systems located in countries that meet the criteria for an “Impacted State”[1] are excluded.” (4) This wording implies that coverage depends on the determination of whether the attack came from a state or an independent actor, and therefore whether or not the war exclusion will apply. Many policies, particularly those aligned with Lloyd's of London, include broadened war exclusions.

This wording is only one example of how a War Exclusion may be applied, as each carrier has its own wording relating to this issue.

This creates a major coverage question. If the attack is attributed to a state-backed group, then insurers might not cover this claim, or claims that might be brought by third parties affected by the attack. If it’s unclear who attacked you, then it creates a legal headache for all involved that lasts longer than the actual conflict. In addition, coverage can be affected by how one interprets what bricking a device is: whether it’s a failure or a pure data loss. Even interruptions may not be covered, depending on circumstances. As a result, many insureds who would need this coverage are underinsured.

The cyber-attack on Stryker reveals that cyberattacks are not just weapons of isolated groups; they can be used by states to create havoc. With the right access, attackers can destroy anything they get their hands on. For the victims, there might not be any recourse for recovering the damage because of insurance clauses. This is a reminder that vigilance in these chaotic times can go a long way.
